App meant to track suspected coronavirus cases lets the government track citizen movements, store information in perpetuity, and share the information with any other agency for any other purpose.

Chennai, TAMIL NADU— Aarogya Setu, a Government of India app to track the real-time movements of citizens to determine if they have been in the proximity of COVID-19 patients, vastly expands the surveillance capabilities of the state with few explicit safeguards warned privacy experts and cybersecurity analysts.

An analysis of the app by Defensive Lab Agency, a Paris-based cybersecurity consultancy, offers disturbing insights: The app gathers a user’s identity, tracks their movement in realtime, and also continuously checks if other people who have downloaded the app are in the proximity of the user.

This allows Aarogya Setu to create a social graph of a user by tracking everyone they have been close to. Combining this data with existing government databases — many of which are already seeded with the mobile numbers of citizens — can significantly expand the government’s powers of surveillance, privacy experts said.

Worse, Aarogya Setu’s user agreement states that the data can be used in the future for purposes other than epidemic control if there is a legal requirement. The app’s privacy policy says the personal information harvested by Aargoya Setu will not be shared with “third parties”, but makes clear that this data may be shared with as many agencies as the government sees fit.

“Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions,” the policy states.

Aarogya Setu has been downloaded over 10 million times since it was released last week, largely due to a concerted push by various government ministries. On April 3, for instance, the Ministry of Human Resource Development asked schools to tell parents of students, and their family members to download the app. On April 6, Prime Minister Narendra Modiasked BJP workers to download the app.

“It’s a threat to our constitutional rights,” said Mira Swaminathan, programme officer at the Center for Internet and Society. “When the right to privacy is at risk, the right to freedom of speech and expression is at risk.”

Many countries have developed apps to help enforce social distancing during the COVID-19 pandemic, with varying levels of privacy guarantees. Social distancing is presently the only way to slow down viral transmission while waiting for a vaccine.

While apps can help identify and rapidly quarantine infected individuals, some nations have been better than the others at ensuring the privacy of users. Singapore’s contact tracing app, for example, states clearly that the app doesn’t collect data beyond the bare minimum needed for contact tracing.

Aarogya Setu offers no such assurances.

Every Step You Take

When a person registers on the Aarogya Setu app, they upload their name, phone number, age, sex, profession, travel history, and smoking history. The data is encrypted and transferred to a server.

The government assigns a unique identifier to the phone, and when two registered phones are near each other, they exchange unique identifiers, which are stored on government servers. If a person is found be infected with the novel coronavirus, all the people they were near in the past, as identified through their unique ids generated by Aarogya Setu, are notified.

There is little clarity on who can access the data, and how long it will stay on government servers, experts said. Although the privacy policy states the data will only live in “anonymised, aggregated databases,” it is possible to re-identify people, said Frederike Kaltheuner, an independent Mozilla Tech Policy fellow.

Aarogya Setu’s privacy policy states that data will be deleted after 30 days from the phone, but the information collected by the app could exist in perpetuity on the government’s servers, said Jyothi Panday, a security researcher at the Telecom Center of Excellence at Indian Institute of Management, Ahmedabad. The policy states that other than COVID-19 response, the information could be used “to comply with a legal requirement.”

India does not have a data protection law, so people cannot hold app developers accountable for privacy violations.

It is also unclear which government agency is overseeing the database and data collection.

“Who is the nodal ministry that will be organizing and coordinating this data and then sharing it further with other government agencies?” she said.

The concern of privacy activists is that the government could, under the guise of a pandemic and in the absence of a data protection law, expand its powers of surveillance. For instance, surveillance company Staqu, which supplies a number of state governments and police authorities with facial surveillance technology, has developed a way to identify people who aren’t wearing masks or respecting the COVID-19 lockdown, according to an interview in YourStory. The company could use the pandemic to expand its network, Panday said.

“I think the bigger concern is, is this going to open the floodgates of mass surveillance later on,” said Pallavi Bedi, policy officer at the Center for Internet and Society.

Other than Aarogya Setu, there are more than 20 apps developed by various states to track and quarantine COVID-19 patients. Punjab’s COVA app, which was also analyzed by Defense Lab, as well as Aarogya Setu both use Google analytics for analysis, but it is unclear who is receiving the data to improve the apps.

Lack of transparency

Contact tracing apps need to be deployed at scale in order to work properly. Enough people need to be online so there aren’t gaps in phone-based surveillance. For this, public trust is key, and it needs to be rooted in transparency, according to a study published in Science.

One way to ensure transparency is to have a transparent and auditable algorithm, the study states. Some nations, such as Singapore and Israel, have posted the app source code in online repositories for independent audit. Researchers can look at the data points being collected and transferred.

In contrast, India’s app is opaque and its source code is not publicly available. The government has also not revealed which companies were involved in developing the app, though the privacy policy states that information will not be transferred to third parties.

The government has since set up a committee that includes industry to adjudicate on privacy concerns that have been raised, according to the Economic Times.

Ultimately, it will be difficult to deploy the app at scale in India, where there were about 462-million smartphone users in 2017, according to PricewaterhouseCoopers. That leaves hundreds of millions of people outside the network.

K Vijayraghavan, Principal Scientific Adviser to the Government of India, told YourStory that a feature phone version of the app would soon be available. To have such a version, the government would need mass access to the data of roughly 500 million Indians from telecom operators, Panday said. The chairman of the Telecom Regulatory Authority is on the app development committee.

“This is the perfect scope for expanding surveillance,” Panday said. “The grounds for expanding surveillance are here at this moment.”

HuffPost India has written to Vijayraghavan and will update this article when he respond.

A previous version of this article incorrectly stated that Aarogya Setu could access a user’s phonebook without permission. That is not the case. The article has been updated, and the error is regretted.